This is to advise you of the results of our investigation into the complaint filed by (Student) against Auburn University (University) under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. By letter dated August 19, 2003, the Family Policy Compliance Office (Office) informed you of the Student's allegation that the University violated 34 CFR § 99.30 of the FERPA regulations by improperly disclosing personally identifiable information from her education records without her prior written consent.

Specifically, the Student alleged that records maintained by the University "reflect an inquiry made by National Student Clearinghouse (NSC) in February [2003]" into her education records based on a request from Mr. Ahmad Simms, who is employed by a company named EdVerify. We understand that schools contract with organizations such as NSC and EdVerify to provide degree and enrollment verification for certain parties that request information about students and former students. With limited exception, FERPA requires that an educational agency or institution have the signed and dated written consent from an eligible student prior to disclosing personally identifiable information from the student's education records. 34 CFR 99.30. The Student alleges that NSC, acting on behalf of the University, conducted a search of her education records to verify certain enrollment/degree information by using her social security number, that was apparently given to the University by EdVerify, without obtaining her prior written consent. The Student indicated that EdVerify requested the information from NSC in response to a request that EdVerify received on February 21, 2003 from an individual named (Mr. X), who gave EdVerify her social security number and who did not have her prior written consent authorizing the search.

In our August 19, 2003 letter to the University, we set forth the Student's allegations and included several specific questions for the University to address. By letter dated September 18, 2003, Dr. John Fletcher, Assistant Vice President for Student Affairs, responded to the Student's allegations and provided written responses to our questions. The University denied that it violated FERPA with respect to the Student's allegations and offered the following responses:

On February 24, 2003, Auburn University received a request for a degree verification from the National Student Clearinghouse (NSC) who, by contract, is effectively designated a university official with legitimate educational interests. The initial verification request from NSC contained the student's current name and the student's name while enrolled at Auburn University. In addition the request contained date of birth and social security number to be used as verification of the correct person. The University responded to NSC with directory information which contained the student's dates of attendance and degree information. At the time of the request from NSC, [the Student] did not have an active information release in force.

Auburn's review of the complaint found that a request for degree verification was initiated by EdVerify, a private concern whose principal business is degree verification. EdVerify provided NSC with the student's name for use as a primary locator and social security number and date of birth for verification. In addition, Auburn confirmed from EdVerify that the source of their request came from (Mr. X). It is the position of Auburn University that neither the University nor its agents released any confidential or non-directory information and as such did not violate [FERPA].

However, in response to this complaint, we have reviewed our policies and also prior guidance provided by your office, concerning the services provided by the NSC and EdVerify. While we believe that our current practices with respect to [the Student's] complaint conform to FERPA requirements, in order to resolve any ambiguity, we are revising our FERPA policy to make clear that the University may make information available to third party contractors who are performing functions that otherwise would be required to be performed by University employees in the normal course of their duties.

As you are aware, FERPA provides that educational agencies or institutions may disclose a student's education records, or personally identifiable information from such records, to third parties only after obtaining the written consent of a minor student's parent, or of a student who has reached the age of 18 or is attending an institution of postsecondary education. 20 U.S.C. 1232g(b)(1) and (d). FERPA defines "education records" as:

those records, files, documents, and other materials, which (i) contain information directly related to a student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.

20 U.S.C. § 1232g(a)(4)(A); 34 CFR § 99.3 "Education records." As such, a student's name and social security number meet the definition of an education record.

FERPA contains an exemption to the prior written consent requirement when the disclosure is made to other school officials, including teachers, within the agency or institution whom the agency or institution has determined to have legitimate educational interests. 34 CFR § 99.31(a)(1). An organization such as NSC, by virtue of a contractual relationship with an educational agency or institution, may be considered a school official with legitimate educational interests under 34 CFR 99.31(a)(1). This is particularly true when the organization needs to review the education records in order to provide verification services on behalf of the educational agency or institution.

Under the regulations at 34 CFR 99.7(a)(3)(iii), an educational agency or institution must include in its annual notification of rights under FERPA a statement indicating whether it has a policy of disclosing personally identifiable information under § 99.31(a)(1) and, if so, a specification of the criteria for determining who constitutes a school official and what constitutes a legitimate educational interest. Accordingly, if an educational institution or agency has included in its annual notification criteria that support the designation of an organization such as NSC as a school official with a legitimate educational interest, then FERPA would permit the educational institution to disclose personally identifiable information from education records to an organization like NSC without first obtaining the signed and dated written consent of the student. (See enclosed model notification.)

Our review of Dr. Fletcher's response to our August 19 letter indicates that the University did not designate NSC as a school official with legitimate educational interests in accordance with 34 CFR §99.7. While the University's September 18, 2003 response indicates that it will amend its annual notification to include this change, this alone will not complete our investigation of this matter.

The University explains that it "responded to NSC with directory information which contained the student's dates of attendance and degree information." When a school verifies or relies on education records to confirm or verify or match a social security number, the school is in fact making a "disclosure" of information from the student's education records. In the instant case, NSC as an agent of the University was not permitted under FERPA to match the Student's social security number with information in the University's database, which in turn, produced the directory information that was ultimately disclosed to the requester -- (Mr. X) via EdVerify -- without the Student's prior written consent. Although a school may disclose education records to an organization such as NSC as discussed above, NSC may not disclose by matching personally identifiable information, such as a social security number, from a student's education records without the student's prior written consent.

While FERPA permits certain information deemed "directory information" to be disclosed without prior written consent, this exception is inapplicable here. FERPA defines "directory information" as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. 20 U.S.C. § 1232g(a)(5)(A); 34 CFR § 99.3 "Directory information". Directory information includes, but is not limited to, information such as name, address, dates of attendance, degree obtained, grade level, photograph, student status (full-time, part-time, undergraduate, graduate), telephone number, date and place of birth, and participation in officially recognized activities and sports. Dates of attendance, as defined in § 99.3 of the FERPA regulations as:

(a) The period of time during which a student attends or attended an educational agency or institution. Examples of dates of attendance include an academic year, a spring semester, or a first quarter.

(b) The term does not include specific daily records of a student's attendance at an educational agency or institution.

However, an eligible student's social security number (SSN) is not considered directory information and, thus, may not be disclosed absent prior written consent.

The Student alleged that NSC, acting on behalf of the University, conducted a search of her education records to verify certain enrollment/degree information by using her social security number without her prior written consent. The University has not provided any evidence to refute this allegation. Rather, as explained by Dr. Fletcher, it appears that NSC, acting on behalf of the University, conducted a search in the University's student records database after the requester (Mr. X via EdVerify) provided NSC with the Student's first and last name, date of birth, and SSN.

As explained in your letter, NSC had access to the University's student record database. Specifically, you stated that:

Auburn University has appointed the National Student NSC (NSC) as an agent for the purposes of reporting student enrollment information to participants in student loan programs. In addition, under the DegreeVerify agreement, employers, employment agencies, background checking firms, (Request[e]rs) and others that require confirmation of degree status may contact the NSC to verify information about an individual's degrees and other educational achievements, as well as their dates of enrollment.

However, in the absence of the Student's prior written consent, NSC was not permitted to search the University's database to ascertain whether or not the Student had attended the University because the verification of the Student's SSN, constitutes a prohibited disclosure under FERPA. In other words, even though NSC asserts that it only disclosed the Student's "directory information" from the Student's education records to EdVerify, NSC used the Student's SSN to retrieve that directory information. Thus, the verification of the Student's SSN, absent the Student's prior written consent, amounts to an improper disclosure of personally identifiable information from education records under FERPA.

Accordingly, the University must revise its procedures to ensure that the prior written consent requirements of FERPA are met with regard to NSC's Degree Verification Service. In this regard, the University must include NSC as a "school official" with "legitimate educational interest" in its annual notification of rights under FERPA as discussed above. However, prior to implementing this change, the University must provide this Office with evidence that NSC as an agent of the University has revised its procedure for disclosing personally identifiable information from education records so that it complies with FERPA's prior written consent requirement. That is, this Office needs to receive evidence from the University that demonstrates that its agent, NSC, ensures that a requestor has the prior written consent of a student allowing for the disclosure of his or her social security number to conduct a search of the University's database in order to determine enrollment information or degree obtained. The University should provide specific information about NSC procedures as they relate to its enrollment search that establishes for this Office that the University does not have a policy or practice of noncompliance with FERPA with respect to the disclosure of information from student education records.

Please provide the above outlined assurances within two weeks of receipt of this letter. These assurances are necessary to indicate that the University does not have a policy or practice of noncompliance with FERPA. Thank you for your continued cooperation with regard to this matter.

Sincerely,

/s/

LeRoy S. Rooker
Director
Family Policy Compliance Office

Enclosure

cc: Student

(Letter of Closing Below)

January 18, 2005

Dr. William Walker
President
Auburn University
Auburn, Alabama 36849

Complaint No.
Family Educational Rights and Privacy Act

Dear Dr. Walker:

This is in regard to the complaint filed by (Student) against Auburn University (University) under the Family Educational Rights and Privacy Act (FERPA). Specifically, the Student alleged that records maintained by the University "reflect an inquiry made by National Student Clearinghouse (NSC) in February [2003]" into her education records based on a request from Mr. Ahmad Simms, who is employed by a company named EdVerify. The Student alleged that NSC, acting on behalf of the University, conducted a search of her education records to verify certain enrollment/degree information by using her social security number, that was apparently provided by EdVerify's employee, without obtaining her prior written consent. The Student indicated that EdVerify requested the information from NSC in response to a request that EdVerify received on February 21, 2003, from an individual (Mr. X), who gave EdVerify the Student's social security number but who did not have her prior written consent authorizing the University to disclose information from her education records.

By letter dated August 30, 2004, we informed the University of our finding that, in the absence of the Student's prior written consent, NSC was not permitted to use the Student's social security number to identify her when searching the University's database to verify that she had received a degree. (See attached finding.) Use of a student's social security number in these circumstances constitutes an implicit confirmation of the number in violation of FERPA.

As background, we understand that schools contract with organizations such as NSC or EdVerify to provide degree and enrollment verification for certain parties that request information about students and former students. NSC's Degree Verify Service appears to work as follows: For University A that has a contract with NSC for its Degree Verify Service, any third party can contact NSC directly to inquire whether or not a particular student graduated from University A. The third party, or requester, must have the student's prior written consent in order for NSC to provide this information to the requester because the requester must provide the student's social security number (SSN) (i.e., non-directory information) in order to use the Degree Verify Service, and there is no exception to the prior written consent requirement in FERPA that allows disclosure of this information without consent. NSC also provides a service, known as EnrollmentSearch, that allows educational agencies and institutions and other parties to determine where a particular student has been enrolled. This complaint relates to the University's use of NSC's Degree Verify Service.

Accordingly, we asked the University to provide this Office with evidence that NSC, as an agent of the University, has revised its procedure for confirming degree information about a student so that it complies with FERPA's prior written consent requirement. In particular, this Office requested evidence from the University that demonstrates that its agent, NSC, ensures that a requester has the prior written consent of a student allowing NSC to use his or her social security number to conduct a search of the University's database in order to determine whether a student obtained such a degree.

[Mr. Daniel R. Boehmer, President, NSC,] in his letter of October 6 agrees to adjust the procedures utilized by NSC. Specifically, and quoting directly from Mr. Boehmer's [October 6, 2004, letter to Dr. Fletcher], "when a requestor comes to the web verification page to verify degree/enrollment information, the requestor will not be provided a place to enter a social security number," thereby eliminating the possibility of utilizing the social security number as a verifier. I believe this satisfies your concern regarding prior written consent, but we await your written confirmation before authorizing NSC to make any further releases of Auburn University student information.

Furthermore, on January 7, 2005, Ms. Ingrid Brault of my staff spoke with Dr. Fletcher regarding the University's procedural change. Dr. Fletcher explained that at no time when an individual uses the University's Degree Verify Service provided by NSC will the system prompt the user to provide a social security number. That is to say that when an individual wishes to find out whether or not a particular student obtained a degree from the University, the individual will not be given the opportunity to submit the student's social security number. The Degree Verify Service used by the University will only permit the submission of appropriately designated directory information. Accordingly, there is no requirement that a student provide his or her prior written consent authorizing the use of a social security number because no such number is submitted in the process.

FERPA defines "directory information" as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. 20 U.S. § 1232g(a)(5)(A); 34 CFR § 99.3 "Directory information". Directory information includes, but is not limited to, information such as name, address, dates of attendance, degree obtained, grade level, photograph, student status (full-time, part-time, undergraduate, graduate), telephone number, date and place of birth, and participation in officially recognized activities and
sports. FERPA provides that a school may disclose directory information if it has given public notice of the types of information which it has designated as "directory information," the
student's right to restrict the disclosure of such information, and the period of time within which a student has to notify the school in writing that he or she does not want any or all of those types of information designated as "directory information." 20 U.S.C. § 1232g(a)(5)(B); 34 CFR § 99.37(a). Thus, FERPA requires that when an individual uses a student's directory information to inquire whether or not a student obtained a degree from the University, the directory information must be the same directory information that the University has designated in its annual notification and the student must not have opted out of the disclosure of his or her directory information.

The University has clearly indicated to this Office that requesters who use NSC's Degree Verify Service provided by NSC to ascertain whether or not a student has obtained a degree from the University can no longer input student social security numbers for NSC to match. We also note that on September 16, 2004, in response to our request, Dr. Fletcher provided a revised annual notification that meets the requirements of FERPA. Specifically, the University's annual notification now outlines NSC as an agent of the University and appropriately designates NSC as a school official with legitimate educational interest. Accordingly, we are closing this complaint and will so notify the Student by copy of this letter. Thank you for your cooperation with regard to this matter.